Transcript
This is Daniel Tirolato, VP of Healthcare at Forescout, and I'm here with Daniel Dos Santos. Daniel, do you want to introduce yourself?

Yeah, sure. I'm the Vice President of Research at Forescout, leading Vedere Labs.

Thank you, Daniel. And thanks, everyone, for watching. Today, we're going to talk about how to manage third-party risk and supply chain risk, specifically for healthcare. Healthcare security, a hospital's security posture, is not only determined by the efforts and controls that a hospital puts in place. Because of all the remote access and remote connectivity that vendors, OEMs, and device manufacturers have into the hospital to help provide patient care, the security posture of a hospital is really the sum of its own plus the security posture, or the exposure, that these third-party connections create. Therefore, when one of these third parties gets compromised, the whole security of the hospital and the health organization gets compromised as well. And healthcare organizations need to act fast before threats, malware, or whatever is in the third party's environment propagates to their own network. I'm just back, actually, from a three-week tour between conferences. I was at the Critical Infrastructure Security Conference first, then I visited customers for an entire week, and finally I was at HIMSS last week, the big healthcare conference. In all three events and in all those customer conversations, third-party risk was really top of mind. And this was even before the incidents that we read in the news last week, which made pretty much every healthcare provider on the planet panic a bit and resort to basically drastic measures to protect their own networks.
So what we're going to talk about today is, first of all, if you are a healthcare organization and you've already been affected or impacted by a third-party incident, some quick tips that you can follow to secure your network better in a responsive fashion. Then I'm going to give the word to Daniel to talk in a broader sense about the threat actors that are targeting healthcare, in particular Iranian cyber groups that, given the current geopolitical situation, are increasing their activity in the healthcare space and in critical infrastructure more generally. And lastly, we will give you some more proactive, fundamental steps you can take so that the next time such an incident occurs, you're going to be more prepared and able to act in a more controlled and more informed way. So, starting with the first part of this LinkedIn Live video: tactical steps. If you've already been targeted, if you've already been the victim of a third-party incident, so if one of your third-party suppliers has been breached by threat actors, by malware, and so on, there are a few things you can do right away to make sure that the threats don't propagate to your network. The first one is, obviously, to identify all the active vendor connections to your infrastructure. What you want to determine is which devices, data, or applications those vendors can access, and whether the access is persistent, remote, or session-based, because depending on that, you can determine how to interrupt that access. This is really the first step, because without visibility into vendor connections, response efforts are really guesswork, and we want to avoid guesswork as much as we can.
The second step depends on the type of connectivity you have. If the connectivity is non-essential, so if you have non-essential vendor access or access unrelated to active patient care, we recommend immediately suspending the connection, that is, severing the connection with the third party, which means disabling remote access sessions, revoking VPN or gateway access, and temporarily isolating vendor-owned devices whenever possible. Again, this is if you have non-essential vendor access, not directly linked to patient service delivery. If, on the other hand, you have remote access from the impacted, compromised third-party vendor that cannot be fully severed due to clinical or operational dependencies, then we recommend, at a minimum, keeping a closer eye than usual on that communication, on that traffic. So monitor the traffic for anomalies, limit access to only the strictly required systems and protocols, and watch for abnormal behavior that could indicate, for example, lateral movement or any unexpected communication patterns; especially in times of incidents, you want to avoid those. But also increase the scrutiny of authentication, traffic flows, and device posture. And last but not least, alongside this direct connectivity into your infrastructure, into your network, many healthcare breaches actually escalate through other channels, like email, for example, or identity compromise, rather than direct network intrusion. So what you want to do is probably restrict inbound emails from affected vendor domains, and watch for phishing or social engineering attempts tied to the incident or related to the third party that was compromised. And you definitely want to work very closely with IT and security to prevent credential abuse.
Because what a lot of these threat actors do is look for credentials that give them access to many of your systems, and try to exploit those credentials to maximize damage. So these are really three or four steps that you can take immediately in case you've been impacted by a third-party incident, in case one of your suppliers has been compromised. But now, beyond the current situation and the current urgency that you're facing, we want to help you look at this a bit more broadly and proactively, and help you protect yourself not only from the specific incident you're facing now, but from the potentially broader set of incidents that are going to occur given the current geopolitical climate. So Daniel, can you please help us out here and tell us a little bit more about what threat actors are doing, what tactics and techniques they are using, and specifically about the Iranian cyber threat actors that are now on the prowl?

Yeah, for sure. Thank you, Daniel. So first of all, very good tips that you mentioned there for reacting to an incident, right? I think the first thing we need to keep in mind is that geopolitics is more and more often influencing cyberspace, right? And that has been happening at least for the past half decade, since the invasion of Ukraine by Russia, and now obviously with whatever is going on in the Middle East. So we saw back in 2022, after the invasion, a big spike in hacktivist activity, in state-sponsored threat actors, and everything in between, right, state-sponsored hacktivists as well, and cybercriminals and so on. And we are seeing something very similar happening again, given the situation in the Middle East, right? So there are different threat actor groups, and they are now aligned mostly pro-Iranian, pro-Palestinian, anti-Israeli, anti-US, and so on.
But the modus operandi is very similar to things that we have seen in the past and things that we have been tracking for a while. So the main, and I think the most important, message, and it aligns with some of the things you said at the beginning, is that the tools, the techniques, the procedures that they use are not necessarily always new things, right? They are reusing the same techniques over and over again because they work very well. So two things to really keep in mind that threat actors, and especially Iranian threat actors, have been looking at and claiming and boasting about online: the first is reuse of credentials, and that really connects to what you said right at the end, right? We have been seeing communications from threat actors mentioning either that they are selling access to specific organizations or that they have gained initial access to organizations via credentials that were bought from underground forums, that were shared before, and so on. So really paying attention to credentials is important. Whenever there is an incident, as you mentioned, involving a third party, if there was any chance that credentials, passwords, usernames, and so on were exfiltrated from that third party's data, you really should consider, as probably one of the first steps after cutting the connections, as you mentioned, rotating these credentials, recycling things, and basically not using the same passwords over and over again. The second thing that organizations definitely need to keep in mind is whatever you have exposed on the internet, right? Whatever you have that is internet-accessible, whether that is edge devices, you know, firewalls, routers, VPN appliances, and so on, or devices that should be internal to the network but are exposed for any reason.
And there, if we talk specifically about healthcare, we sometimes see things like IP cameras, building automation devices, and that type of technology being misconfigured and exposed online, right? So pay attention to the credentials and the vulnerabilities that might be exploited on those internet-connected devices. A third point, which is not related only to the attacks that we see coming out of Iranian groups or the hacktivist activity or the state-sponsored activity, but is something that is very popular with cybercriminals these days, is gaining access via third-party applications as well, right? So, as you mentioned before, vendor applications and things like that which have a direct connection to internal assets in organizations. Last year, there were a couple of very big software-as-a-service companies that were breached, and their access to customer data was leveraged for further compromise, right? So it's not just the credentials, it's not just the internal assets that you have exposed, but also the applications that are using authentication tokens and things like that, where the trust is established there, even without necessarily using passwords. So I think that looking at those three points, and at how threat actors are looking at them these days and exploiting them, would go a long way towards protecting your network, for sure.

Thank you, Daniel. We were also discussing earlier the increased use, or abuse, of, let's say, non-traditional endpoints as an entry point or access vector. Is that still the case? Is that the case also for health organizations?

Yeah, absolutely, absolutely. So that goes into what I mentioned about the exposed devices, right? What we see often in healthcare and in other environments these days is the use of edge devices as an initial access point, right?
So the routers, the firewalls, the VPNs, the load balancers, whatever is on the perimeter of the network that can be abused, is being abused very often. And from there, threat actors move internally on the network, right? And that obviously brings up the point of segmentation, right? It's one of the issues that is really very important, especially in healthcare environments: you want to keep the clinical network and anything that is patient-connected separate from these dangerous, risky initial access points.

Yeah, thank you, Daniel. So taking what you just said and generalizing what I mentioned earlier, we can draw some conclusions and establish some fundamental steps that healthcare organizations can take to more proactively prevent bad things from happening, whether it's third-party compromise or lateral movement or threat actors targeting a healthcare organization directly. There are a few steps they can take to make their cybersecurity posture more mature and more prepared for these types of situations, and basically to have the information at hand when they see a compromise happening so they can react faster. The first of these steps is to establish full and continuous visibility into their clinical systems and the systems surrounding those clinical systems. So maintain real-time visibility into the medical devices themselves, the clinical environment, but also, like you just said, the IoT devices, like building automation devices and badge readers and so on, and physical access control systems. So everything that surrounds the medical devices, as well as the IT equipment that is in use in hospitals by doctors, nurses, or simply employees of the hospital. Maintain real-time visibility into every device, including vendor-owned devices and including those unmanaged devices that are increasingly used by third parties.
And the goal here is to eliminate blind spots that delay the identification and containment of threats, whether third-party threats or internal threats, and that, as a consequence, increase the risk to patient care and service delivery. So full visibility is number one. The second is understanding who is connecting in and out of your network. So get a clear mapping of vendor access to patient-critical assets. Knowing a vendor is connected is not enough. You need to know what the vendor can access, especially around systems that are dedicated to patient care. So which devices dedicated to patient care can they access, or devices with ePHI, because a lot of threat actors are after that ePHI, electronic personal health information, because that's what's really valuable for them on the black market, or to basically demand a ransom from the healthcare provider. And identify unnecessary exposure. For example, do you have too many systems that the third-party vendor can access? Can you restrict some of those systems? Can you restrict some of that access or some of those protocols? And eventually spot pathways that enable the spread of ransomware and that are really not required for that vendor to deliver the service it is supposed to deliver to you, to enable your patient care delivery. The third step is to layer risk context around those assets. You talked a little bit about it earlier, Daniel. So prioritize third-party risk based on, for example, the devices that are vulnerable, the devices that are exposed, maybe internet-exposed, maybe simply overexposed because they have too many open ports, or the devices that maybe have default credentials. You talked about credential abuse. So understand the risk and exposure posture of all those devices so that you can prioritize mitigation and response steps accordingly. And in a hospital network, prioritization cannot go without considering the impact.
That is, the impact that the loss of a device or the compromise of a device has on patient care. So risk prioritization really needs to take into account the likelihood of the device being compromised and the impact it has if it actually is compromised, so that you can fix the most impactful devices and networks first. The fourth step would be to enforce least privilege access. So network access control, firewalling, putting firewall rules in place whenever possible. Make sure that you dynamically limit vendor access to only what is necessary, based on the vendor itself, the identity of the vendor, the device posture, the dynamic posture of each device, the sensitivity and impact that a certain asset has on patient care delivery, and, eventually, real-time risk. Ultimately, that's what the HIPAA access control requirements mandate. And it's all for the reason of limiting access and entry points, I should say, and limiting impact if those entry points are exploited. You also mentioned segmentation. That would be my number five. Limit lateral movement and contain ransomware better by using segmentation. By restricting how systems communicate and limiting the blast radius, if you ensure that devices only talk to the devices they're supposed to talk to, then threats will only be able to move within that radius, let's say, so they'll not be able to propagate further than that. So segmentation becomes critical, especially around the non-IT devices, which you probably cannot patch and cannot restrict with EDRs or agents because they do not support agents. So segmentation really becomes the last layer, and often the only layer, of defense for medical devices and IoT devices.
And last but not least, when preventive controls are bypassed, the visibility into the devices that I mentioned as the first point, and the understanding of the communication and access that third-party vendors have in your network, will allow you to quickly identify where the compromise is going through and surgically restrict the vendor access, containing incidents while preventing disruptions to patient care. So I'll repeat. Number one is to establish full visibility into all your assets. Understand which systems, which devices, and which data, for example PHI, third-party vendors can access. Layer risk context: understand what the risk and exposure of each device is and what the impact of the loss of each device is, so that you can take mitigating and remediating steps based on that risk and impact. Then start taking measures to reduce access or enforce least privilege access, like network access control, for example, and segmentation. And eventually all of this will enable you to respond faster to the next incident and take more informed decisions. So, Daniel, anything else to add? Anything you want to add to what I just said?

I think you covered quite a lot. Those are very, very good tips indeed for the reactive and for the proactive kind of protection and response to incidents. I just think that really all of those connect very well to a lot of the research that we have been doing, tracking some of those actors, whether they're connected to Iran, whether they're connected to Russia, whether they're cybercriminals spread out anywhere in the world. Those tips go a long way towards protecting you against the techniques that they typically use.

Thanks, Daniel. Thank you all for watching. And lastly, I will invite you to read the blog post we just published on this topic. It has pretty much all the tips and tricks that I just mentioned, as well as the solution brief we have just published.
It's part of the blog post as well, and it explains how Forescout can help you through this journey and better manage your third-party risks. Thank you all for watching. And thank you, Daniel.